Spoofing Attacks – ARP Spoofing

How attacker can launch man in the middle attack using ARP spoofing and what is ARP spoofing?Attackers can attempt to launch an attack by sending gratuitous ARP – GARP replies. GARP reply messages are sent from some device in the network to other without the prior receiving of a request for sending a ARP reply. Is an ARP reply without cause. This reply without cause can tell network devices that the attacker’s MAC address corresponds to specific IP addresses that is actually IP address of some other device in the LAN.

Purpose of ARP requests in network is to give to the device appropriate mapping of MAC address to IP address. In other words, when a network device needs to find out the MAC address that corresponds to an IP address, the device can send an ARP request. In that moment the device that has an address that we seek replies to the requesting device with an ARP reply. The ARP reply contains the requested MAC address.

Hm? But how?

Attacker can send gratuitous ARP in which he is telling to some device in the network, let’s say a PC that he is default gateway for this LAN. Attacker will be able to convince that PC that the attacker’s MAC address is the MAC address of the PC’s default gateway. The PC will start to send traffic to the attacker every time he needs to send something out of the LAN. The attacker will try to read packets but enable the communication of that PC with the internet. In this manner the attacker will not cause that the PC don’t have a internet connection. The PC user will actually not notice the attack and the attacker will be free to capture the traffic and then forwards the traffic to the appropriate default gateway.

On the picture we have the default gateway with IP address 192.168.0.1. Attacker will sends GARP messages to PC1 with the information that the MAC address corresponding to 192.168.0.1 is on MAC address BBBB.BBBB.BBBB. And that is actually the attacker’s MAC address. The attacker will send GARP messages to the default gateway to and he will convince the default gateway router that MAC address corresponding to PC1 is BBBB.BBBB.BBBB. This is called ARP cache poisoning. In this case ARP cache poisoning will enable that PC1 and Router1 can exchange traffic via the attacker’s PC without notice it. This is why this type of ARP spoofing attack is considered to be a man in the middle attack.